Help a buddy prank his colleagues! Show your mettle with spoofing emails, malicious attachments, spoofing sms, and spoofing phone calls to get access to voicemail
Social Engineering Challenges
These challenges require a user to successfully spoof emails, clone website login forms, spoof sms, spoof caller id to get into voicemail, and the like. It is recommended to have Kali installed in a VM to have all the tools available you need to complete them.
SETUP:
###Step 1
*NOTE - if you get an error while deploying, wait 60 seconds and try again. The phantomjs buildpack used in this deploy fails intermittently on build when heroku has trouble establishing a connection to bitbucket, but it’s always worked for me after a couple tries.
###Step 2
###Step 3 (Optional, involves Paid Services)
- Only required for optional Challenges 4 and 5
- Requires an account on a paid service, Twilio to setup.
- Also requires people to use paid accounts to solve with sms/voice spoofing providers.
- Configure Twilio
Challenges:
Challenge 1: Spoof an email with your own custom reply-to.
Challenge 2: Spoof an email with linked phishing site, harvest credentials.
Challenge 3: Spoof an email with booby-trapped attachment that opens a reverse shell session.
Optional: Challenge 4: Spoof an SMS (using a paid service), asking person to change a password on something as their boss.
Optional: Challenge 5: Spoof a phone call’s caller ID (using a paid service), use to retrieve voicemail. Attack in the wild
Note that useful information for testing and debugging will be logged to the Papertrail app in your heroku instance. Open papertrail to view those streaming logs.